How to remove an (alternative) domain from a Let's Encrypt (SAN) certificate using certbot


Published on - Listed in Security TLS Internet


Let's Encrypt certificates can be issued as SAN (Subject Alternative Name) certificates, which cover multiple domain names or subdomains in a single certificate:

root@linux ~ # certbot -n certonly --expand --webroot -w /var/www/letsencrypt -d www.example.com -d example.com -d beta.example.com -d my.example.com

The certificate can then be listed using certbot certificates:

root@linux ~ # certbot certificates
[...]
Found the following certs:
  Certificate Name: www.example.com
    Domains: www.example.com beta.example.com my.example.com example.com
    Expiry Date: 2022-01-21 16:00:45+00:00 (VALID: 4 days)
    Certificate Path: /etc/letsencrypt/live/www.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.example.com/privkey.pem
[...]

Note: the certificate name (identifier) is usually the first domain in the list.

The automatic renewal process (certbot renew) validates every domain in that certificate. If the validation of even one of the listed domains fails, the renewal of the whole certificate fails:

2022-01-17 07:21:30,723:WARNING:certbot.renewal:Attempting to renew cert (www.example.com) from /etc/letsencrypt/renewal/www.example.com.conf produced an unexpected error: Failed authorization procedure. beta.example.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://beta.example.com/.well-known/acme-challenge/U4ixi_WUxNDKSDdYxhwvsAe-gt92PFhy493SCmJFGHg [xxx.xxx.xxx.xxx]: "\n\n\n<!DOCTYPE html>\n<html>\n    <head>\n    <meta http-equiv=\"Content-type\" content=\"text/html; charset=utf-8\">\n    <meta http-equi". Skipping.

In this particular situation, the beta.example.com subdomain had a DNS change and now points to a different IP address. The Let's Encrypt ACME validation (http-01 challenge) therefore failed for that name, which caused the renewal of the whole certificate to fail.

To remove a (sub)domain from the certificate, run certbot with the --cert-name parameter set to the certificate name identifier and list only the remaining domains with -d:

root@linux ~ # certbot -n certonly --cert-name www.example.com --expand --webroot -w /var/www/letsencrypt -d www.example.com -d my.example.com -d example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.example.com/privkey.pem
   Your cert will expire on 2022-04-17. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Because beta.example.com is no longer listed with the -d parameter, certbot replaces the certificate with one that does not contain the beta subdomain. This can be verified with certbot certificates again:

root@linux ~ # certbot certificates --cert-name www.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following matching certs:
  Certificate Name: www.example.com
    Domains: www.example.com my.example.com example.com
    Expiry Date: 2022-04-17 09:33:10+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.example.com/privkey.pem
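The steps above (list the certificate, take the current domain list, leave out the failing name, re-issue with --cert-name) can be scripted so that the new domain list is derived from certbot's own output rather than retyped by hand. The following POSIX shell script is an added example and not part of the original post or of certbot; it embeds a constructed copy of the certbot certificates output shown above so that it runs offline, and it only prints the certbot command it derives instead of executing it. The webroot path /var/www/letsencrypt and the domain names are taken from the post; the function names are the script's own.

```shell
#!/bin/sh
# Added example: derive the certbot command that drops one SAN from an
# existing Let's Encrypt certificate lineage. Nothing here touches
# /etc/letsencrypt; the command is printed for review only.

# Constructed sample of `certbot certificates --cert-name www.example.com`
# output, modelled on the listing in the post (embedded so this runs offline).
SAMPLE_CERT_LISTING='Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following matching certs:
  Certificate Name: www.example.com
    Domains: www.example.com beta.example.com my.example.com example.com
    Expiry Date: 2022-01-21 16:00:45+00:00 (VALID: 4 days)
    Certificate Path: /etc/letsencrypt/live/www.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.example.com/privkey.pem'

# extract_domains <listing-text>
# Prints the space-separated domain list from the first "Domains:" line.
extract_domains() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Domains:[[:space:]]*//p' | head -n 1
}

# drop_domain <domains> <domain-to-remove>
# Prints the remaining domains. The comparison is an exact match, so removing
# "example.com" does not also strip "beta.example.com".
drop_domain() {
    _keep=""
    for _d in $1; do
        if [ "$_d" != "$2" ]; then
            _keep="${_keep:+$_keep }$_d"
        fi
    done
    printf '%s\n' "$_keep"
}

# build_certbot_cmd <cert-name> <domains> <webroot>
# Prints the non-interactive certonly command from the post, with one -d per
# remaining domain. --cert-name pins the lineage so certbot replaces the
# existing certificate instead of creating a new "www.example.com-0001" one.
build_certbot_cmd() {
    _cmd="certbot -n certonly --cert-name $1 --expand --webroot -w $3"
    for _d in $2; do
        _cmd="$_cmd -d $_d"
    done
    printf '%s\n' "$_cmd"
}

# Stand-alone demonstration on the constructed listing: remove the failing
# beta.example.com name and show the resulting command.
current_domains=$(extract_domains "$SAMPLE_CERT_LISTING")
remaining_domains=$(drop_domain "$current_domains" beta.example.com)
build_certbot_cmd www.example.com "$remaining_domains" /var/www/letsencrypt
```

On a real host, replace the embedded listing with the live output of certbot certificates --cert-name www.example.com and run the printed command once it looks right. Two checks are worth doing afterwards: confirm the SAN list of the new certificate directly with openssl x509 -in /etc/letsencrypt/live/www.example.com/fullchain.pem -noout -ext subjectAltName, and run certbot renew --dry-run to confirm that the renewal no longer trips over the removed name. Since certonly with "Installer None" only writes the files, the web server still has to be reloaded (for example via a --deploy-hook) before clients see the new certificate; the previous certificate that still contained beta.example.com remains valid until its own expiry date.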
